While most of the recent Log4j attacks have targeted Linux servers, researchers have been studying a new strain of ransomware — Khonsari — that attacks Windows systems.
Bitdefender first reported about Khonsari on Monday in a blog, where it said that the malicious payload was downloaded as a .NET binary written in C#.
On Tuesday, Cado Security released new research describing Khonsari in more detail. The researchers admitted that Khonsari was “a bit boring,” weighing in at only 12 kilobytes.
“It contains the most basic functionality required to perform its ransomware tasks,” the researchers said. “Its size and simplicity is also a strength however — at the time we ran the malware dynamically it wasn’t detected by the system’s built-in antivirus.”
Chris Doman, co-founder and CTO at Cado Security, said on the ransomware front, his team typically sees a two-week “incubation period” after attackers initially enter a network.
“This is before they have spread and gained sufficient access to deploy ransomware across the whole network,” Doman said. “So we may see more impact in the coming days and weeks.”
John Bambenek, principal threat hunter at Netenrich, said while this specific malware is basic, a ransomware event was inevitable. He said as attackers continue to use this vulnerability, they will deploy increasingly sophisticated payloads to achieve a wide variety of objectives.
“Luckily, this is not the organizational crippling ransomware we are used to seeing in the headlines, but it is still impactful when web servers get taken down,” Bambenek said. “This highlights the need that if organizations are going to go down the CI/CD pipeline, continuous patching and security hardening must also be a component of the workflow.”
Dor Dali, director of information security at Vulcan Cyber, added that when we saw the first exploit of this vulnerability in Minecraft, an RPG game, as a zero-day attack, it was eye-opening. However, Dali said ransomware, while more expected, reveals the criticality of the looming Log4shell threat for those who don’t take immediate steps to analyze the risk and mitigate instances of it found in their production environments.
“Log4shell is very easy to exploit and is bringing all the threat actors to the yard to play,” Dali said. “We are seeing and can expect everyone from script kiddies to nation-state groups and professional cyber criminals to try their hand at exploiting this vulnerability for any number of reasons. Ransomware will continue to be a favorite playbook for cyber criminals abusing the Log4j vulnerability.”
John Hammond, senior security researcher at Huntress, said exploring the Khonsari ransomware sample validates the same findings from Bitdefender and Cado Security. Hammond said the Java code executed by the Log4j exploit reaches out to an external domain, downloading an executable to deploy ransomware. The executable is a slightly obfuscated C# assembly, which security pros can examine with open-source tools. Currently, the external domain is offline. All the payloads in this specific attack have been hosted at 3.145.115[.]94, which, at least according to Shodan from Dec. 12, was an AWS hosted server.
“Thus far, this is the only indicator of ransomware we have deployed by the Log4j vulnerability — but there's a strong chance there's more on the horizon,” Hammond concluded.